North Korean hackers stole $400 million in cryptocurrency in 2021

North Korean hackers stole nearly $400 million worth of cryptocurrencies by hacking into seven companies in 2021, according to blockchain analysts at Chainalysis. A year earlier, the amount of stolen funds was estimated at $300 million.

The attackers laundered and cashed out most of the funds using special mixer services, as well as Asian crypto-fiat exchangers. But the hackers did not cash out all the stolen funds. Thus, Chainalysis experts discovered a cryptocurrency worth more than $170 million, which was stolen by hackers from 49 cryptocurrency exchanges between 2017 and 2021. And the attackers have clearly put that money aside for long-term storage.

All of the aforementioned attacks are attributed by analysts to the Lazarus hack group, although this name hides several separate North Korean groups at once. Typically, North Korean hackers operate in specific areas, including politically oriented cyber espionage, spying on dissidents, economic espionage, and theft.

It is the Lazarus division that is most often associated with hacking banks and cryptocurrency projects. The group is being tracked by US authorities as BlueNoroff, and the US Treasury Department calls these hackers a money-making machine for North Korea and its nuclear and ballistic programs.

Let me remind you that we wrote that the US authorities indicated two more members of the Lazarus group, and also that the Lazarus Group used ThreatNeedle malware against defense companies.

A recent Kaspersky Lab report published this week states that after years of investigation, BlueNoroff has been linked to multiple attacks targeting crypto companies in Russia, Poland, Slovenia, Ukraine, the Czech Republic, China, India, the US, Hong Kong, Singapore, UAE and Vietnam.

The campaign, which Kaspersky Lab monitors under the name SnatchCrypto, has been active since 2017 and uses malicious documents that are sent by hackers via email or LinkedIn to individuals working in cryptocurrency companies. As soon as the victim views such a file, their system is infected with a backdoor that allows attackers to take control of the machine.

The group’s other campaigns were less sophisticated and used regular LNK (Windows shortcut) files, but the end result was the same: BlueNoroff accessed the victim’s device.

The researchers write that in separate incidents, BlueNoroff went so far as to develop a malicious version of the Metamask extension for Chrome, which hackers installed locally on the victim’s device, replacing the extension with the real one.

The extension has been modified to detect when a victim initiates a transaction and then intercept the parameters of that transaction and send most of the funds to the BlueNoroff account.

Let me remind you that we also wrote about the CryptoCore hacker group have stolen $200 million linked to North Korea.